Re: Merge of pkg_install-renovation

On Sat, Nov 08, 2008 at 12:40:39AM +0100, Thomas Klausner wrote:
> On Wed, Nov 05, 2008 at 02:35:56AM +0000, Alistair Crooks wrote:
> > But having gpg signatures is important to me,
> > and I see no reason for a regression here.
>
> Were there ever any TNF supplied binary package with GPG signatures?
>
> IMHO this feature is nice, but shouldn't hold up the merge.
The reason we need to keep the old code around for gpg signing until
the library based gpg verification is available is because the X.509
signatures onlt go some way to providing a solution.
The new code is better designed, I believe, and much cleaner, although
we need design documentation to show that we're above the "this code
was born to be hacked" level.
The rationale is not that the X.509 code is up to the job, but rather
that there is no infrastructure in place to support X.509 signatures
for verification of binary packages. I've taken part in gpg signing
events right around the world - I've yet to take part in X.509 ones,
or be asked to sign someone's X.509 key, or to verify anyone's id for
the purposes of engendering trust. I know of no X.509 key servers, or
any out-of-band means of verifying trust levels, or the X.509
signature itself. Now people can wave hands and other things, but
however distasteful the gpg web of trust is to you, it does exist.
There is no equivalent for X.509. Furthermore, there is no policy
backing the nbsvtool signing mechanism, which is a definite must
before anything can be done with it.
It is the equivalent of saying that hydrogen cells are a much better
way of generating energy for cars, so we're moving over to using them
in place of fossil-fuels. Quite right, and admirable. And then not
providing a distribution mechanism for H cells. Another example would
be to say that the banks make far too much money off others' misery
with credit cards, so that we will now base our work on a new,
yet-to-be-rolled-out payment mechanism. Again, admirable, but only
half-there.
So what needs to happen is for the existing gpg signature verification
code to stay around until the library-based gpg verification is
completed. Yes, I know this is a pain, but it's necessary for now.
Regards,
Alistair